10.2. IDP Traffic Shaping
10.2.1. Overview
IDP Traffic Shaping is traffic shaping driven by information coming from the NetDefendOS
Intrusion Detection and Prevention (IDP) subsystem (for more information on IDP, see Section 6.5,
“Intrusion Detection and Prevention”).
The Problem of Bandwidth Usage
A prime use of IDP Traffic Shaping is dealing with the traffic management issues caused by
bandwidth hungry applications. A typical case is traffic related to peer-to-peer (P2P) data transfer
applications with examples of this including Bit Torrent and Direct Connect. The high traffic loads
created by P2P transfers can have a negative impact on the quality of service for other network
users. An ISP or a corporate network administrator may therefore need to control the bandwidth
consumed by such applications and IDP Traffic Shaping provides this ability.
Combining IDP and Traffic Shaping
One of the difficulties in controlling a traffic type such as P2P is distinguishing it from other
traffic. The NetDefendOS IDP signature database already provides a highly effective means of
performing this recognition, and as an extension of this, NetDefendOS can apply throttling through
its traffic shaping subsystem whenever the targeted traffic is recognized.
IDP Traffic Shaping is a combination of these two features, where traffic flows identified by the
IDP subsystem automatically trigger the setting up of traffic shaping pipes to control those flows.
10.2.2. Setup
The steps for IDP Traffic Shaping setup are as follows:
1. Define an IDP rule that triggers on targeted traffic.
   The IDP signature chosen determines which traffic is targeted. The signature usually has the
   word POLICY in its name, which indicates that it relates to a specific application type.
2. Select the rule's action to be the Pipe option.
   This specifies that IDP Traffic Shaping is to be performed on the connection that triggers the
   rule and on subsequent, related connections.
3. Select a Bandwidth value for the rule.
   This is the total bandwidth that will be allowed for the targeted traffic. The traffic measured is
   the combination of the flow over the triggering connection plus the flow from any associated
   connections, regardless of flow direction.
   Connections opened before IDP triggered will not be subject to any restriction.
4. Optionally enter a Time Window in seconds.
   This is the period of time after rule triggering during which traffic shaping is applied to any
   associated connections that are opened.
   Typically, a P2P transfer starts with an initial connection to allow transfer of control
   information, followed by a number of data transfer connections to other hosts.
   It is the initial connection that IDP detects, and the Time Window specifies the expected period
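The following is an added example, not code from the NetDefendOS manual or from D-Link: a small executable model of the setup steps above, showing which connections an IDP rule with the Pipe action places in the pipe (triggering connection, connections opened within the Time Window, not connections opened before triggering) and how the Bandwidth value applies to those connections as one aggregate regardless of direction. The class and function names are hypothetical, "associated" connections are assumed to be those from the same internal host, and the bandwidth accounting uses fixed one-second intervals as a simplification of the real pipe.

```python
"""Model of IDP Traffic Shaping semantics (constructed example, not NetDefendOS code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Connection:
    cid: str            # connection identifier (constructed)
    internal_host: str  # internal endpoint; used to associate connections (assumption)
    opened_at: float    # time the connection was opened, in seconds


@dataclass
class IdpPipeRule:
    bandwidth_kbps: int   # "Bandwidth": total for triggering + associated flows, both directions
    time_window_s: float  # "Time Window": how long after triggering new associated connections join


class IdpTrafficShaper:
    """Hypothetical model of a Pipe-action IDP rule."""

    def __init__(self, rule: IdpPipeRule) -> None:
        self.rule = rule
        self.trigger_time: Optional[float] = None
        self.trigger_host: Optional[str] = None
        self.in_pipe: Set[str] = set()
        self._used: Dict[int, int] = {}  # bytes forwarded through the pipe, per one-second slot

    def idp_triggered(self, conn: Connection, now: float) -> None:
        """IDP matched a POLICY signature on `conn`: put it in the pipe and start the window."""
        self.trigger_time = now
        self.trigger_host = conn.internal_host
        self.in_pipe.add(conn.cid)

    def connection_opened(self, conn: Connection) -> bool:
        """Return True if a newly opened connection joins the pipe.

        Only connections opened after triggering, within the Time Window, and from the
        triggering host (assumed definition of "associated") are shaped. Connections
        opened before IDP triggered are never restricted.
        """
        if self.trigger_time is None or conn.opened_at < self.trigger_time:
            return False
        if conn.opened_at > self.trigger_time + self.rule.time_window_s:
            return False
        if conn.internal_host != self.trigger_host:
            return False
        self.in_pipe.add(conn.cid)
        return True

    def forward(self, conn: Connection, nbytes: int, now: float) -> Tuple[int, int]:
        """Forward `nbytes` on `conn` at time `now`; return (passed, excess).

        Pipe traffic is measured as one aggregate across all shaped connections,
        regardless of direction, against Bandwidth per one-second slot. Traffic on
        connections outside the pipe always passes untouched.
        """
        if conn.cid not in self.in_pipe:
            return nbytes, 0
        budget = self.rule.bandwidth_kbps * 1000 // 8  # bytes allowed per second
        slot = int(now)
        used = self._used.get(slot, 0)
        passed = max(0, min(nbytes, budget - used))
        self._used[slot] = used + passed
        return passed, nbytes - passed


def demo() -> dict:
    """Constructed scenario exercising each rule of the setup steps."""
    shaper = IdpTrafficShaper(IdpPipeRule(bandwidth_kbps=100, time_window_s=10))
    pre = Connection("c0", "10.0.0.5", opened_at=0.0)    # opened before IDP triggers
    shaper.connection_opened(pre)
    ctrl = Connection("c1", "10.0.0.5", opened_at=5.0)   # P2P control connection, detected by IDP
    shaper.idp_triggered(ctrl, now=5.0)
    data = Connection("c2", "10.0.0.5", opened_at=8.0)   # data connection inside the window
    other = Connection("c3", "10.0.0.9", opened_at=8.0)  # different host, not associated
    late = Connection("c4", "10.0.0.5", opened_at=20.0)  # opened after the window expired
    return {
        "data_shaped": shaper.connection_opened(data),
        "other_shaped": shaper.connection_opened(other),
        "late_shaped": shaper.connection_opened(late),
        "pre_existing": shaper.forward(pre, 100_000, now=6.0),      # unrestricted
        "ctrl": shaper.forward(ctrl, 10_000, now=6.2),              # fits in 12500 B/s budget
        "data_same_second": shaper.forward(data, 5_000, now=6.7),   # only 2500 B left in slot 6
        "data_next_second": shaper.forward(data, 12_500, now=7.1),  # fresh slot, fits exactly
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `data_same_second` result is the point of step 3: the data connection is throttled because the control connection already consumed most of the shared budget in that second, even though the two flows may run in opposite directions. The pre-existing connection passes 100,000 bytes unshaped, matching the caveat that connections opened before IDP triggered are not restricted.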